CVE-2012-6111
Publication date 20 December 2019
Last updated 24 July 2024
Ubuntu priority
gnome-keyring does not discard stored secrets when using gnome_keyring_lock_all_sync function
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| gnome-keyring | ||
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty | Not in release | |
Notes
mdeslaur
In hardy, gnome_keyring_lock_all_sync() was in the gnome-keyring package, and works as expected. In 2.30+ in Lucid+, gnome_keyring_lock_all_sync() is in libgnome-keyring and sends a LockService DBus call to gnome-keyring. This call isn't implemented in lucid+ Nothing in the archive in Oneiric+ actually uses gnome_keyring_lock_all_sync(), so this is low. In Lucid, gnome-power-manager calls this before suspend and hibernation with the intention of locking the keyring. Fixing this in Lucid would result in the user likely having to retype their keyring password when coming out of suspend and hibernation, which is an intrusive change this late in Lucid's lifecycle. Setting this issue as priority low for the reasons above.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
7.5 · High
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |